From: Brian Mastenbrook
To: musl@lists.openwall.com
Subject: Signed integer overflow in __secs_to_tm
Date: Tue, 6 Oct 2015 19:09:45 -0500
Message-ID: <56177AD6-23A7-44A5-B72B-D139DC14F813@mastenbrook.net>

__secs_to_tm (used by gmtime_r et al.) may invoke undefined behavior due to signed integer overflow in two places. At __secs_to_tm.c:58, 400*qc_cycles may overflow. At __secs_to_tm.c:63, there is a nonsensical comparison between an already overflowed value and INT_MAX or INT_MIN; the compiler will delete this test due to overflow. Here are some example values that provoke the overflow:

t = -67771633420944000
__secs_to_tm.c:58:[kernel] warning: signed overflow. assert -2147483648 ≤ 400*qc_cycles;

t = 67768037838810496
__secs_to_tm.c:63:[kernel] warning: signed overflow. assert years+100 ≤ 2147483647;

These errors were found using KLEE and clang's undefined behavior sanitizer together. (Unfortunately KLEE also produced a false report of an out-of-bounds access to the days_in_month array due to a solver bug.)

-- 
Brian Mastenbrook
brian@mastenbrook.net
http://brian.mastenbrook.net/
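The two findings above are one bug pattern: an int product (400*qc_cycles) is formed first and range-checked afterwards, so the check at line 63 runs on a value that has already overflowed and the compiler may drop it. The following is an added example, not musl's __secs_to_tm and not code from the report; it models only that ordering next to the hardened ordering (widen to long long, then test). The helper names are invented for the illustration; qc_cycles and years follow the report's naming, and the sample inputs are constructed around INT_MAX/400.

```c
#include <limits.h>
#include <stdio.h>

/* Added illustration, not musl's __secs_to_tm: it reproduces only the shape the
 * report describes (an int product that is range-checked after the fact) and a
 * version that checks before any int arithmetic can overflow. Helper names are
 * invented for this example; qc_cycles and years follow the report. */

/* Report whether 400*qc_cycles is representable as int without forming the
 * product. INT_MAX/400 == 5368709 and INT_MIN/400 == -5368709 (C truncates
 * toward zero), so any |qc_cycles| > 5368709 overflows. */
int mul400_fits_int(int qc_cycles)
{
    return qc_cycles <= INT_MAX / 400 && qc_cycles >= INT_MIN / 400;
}

/* The pattern the report criticises. Both operands are int, so the product is
 * an int and overflows before it is widened into `years`; that is undefined
 * behaviour, and the comparison against INT_MAX/INT_MIN on the next line is one
 * the compiler may legally assume false and delete. Kept to show the ordering;
 * only call it with |qc_cycles| <= INT_MAX/400, where it is well defined. */
int years_check_after(int qc_cycles, long long *years_out)
{
    long long years = 400 * qc_cycles;            /* int * int: UB on overflow */
    if (years + 100 > INT_MAX || years + 100 < INT_MIN)
        return -1;                                 /* too late for overflow */
    *years_out = years;
    return 0;
}

/* Hardened ordering: the multiplication is done in long long (400LL forces the
 * int operand to widen first), so it is defined for every int qc_cycles, and
 * the range test then operates on the true value. Returns -1 when years+100
 * would not fit in int, the range a tm_year field ultimately needs. */
int years_check_before(int qc_cycles, long long *years_out)
{
    long long years = 400LL * qc_cycles;          /* long long * int: no overflow */
    if (years + 100 > INT_MAX || years + 100 < INT_MIN)
        return -1;
    *years_out = years;
    return 0;
}

int main(void)
{
    /* Constructed inputs straddling the INT_MAX/400 boundary. */
    int samples[] = { 0, 5368708, 5368709, 5368710, -5368709, -5368710 };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int qc = samples[i];
        long long years = 0;
        int rc = years_check_before(qc, &years);
        printf("qc_cycles=%d fits_int=%d check_before=%s", qc,
               mul400_fits_int(qc), rc == 0 ? "ok" : "rejected");
        if (rc == 0)
            printf(" years=%lld", years);
        if (mul400_fits_int(qc)) {
            /* Only exercise the check-after version where it is defined. */
            rc = years_check_after(qc, &years);
            printf(" check_after=%s", rc == 0 ? "ok" : "rejected");
        }
        printf("\n");
    }
    return 0;
}
```

Building the check-after function with clang's undefined behavior sanitizer (`-fsanitize=undefined`, the tool the report names) and calling it with qc_cycles = 5368710 flags the multiplication itself as a signed overflow, before the comparison is reached; the check-before version rejects the same input cleanly. The general rule is the one the report implies: a bounds test must run either before the arithmetic, or on arithmetic performed in a type wide enough that it cannot overflow.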